-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3999
    VMware vCenter Server updates address arbitrary file read and SSRF
             vulnerabilities (CVE-2021-21980, CVE-2021-22049)
                             25 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware vCenter Server
                   VMware Cloud Foundation
Publisher:         VMware
Operating System:  VMware ESX Server
                   Virtualisation
Impact/Access:     Access Confidential Data -- Unknown/Unspecified
                   Reduced Security         -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-22049 CVE-2021-21980 

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2021-0027.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Advisory ID: VMSA-2021-0027
CVSSv3 Range: 6.5-7.5
Issue Date: 2021-11-23
Updated On: 2021-11-23 (Initial Advisory)
CVE(s): CVE-2021-21980, CVE-2021-22049
Synopsis: VMware vCenter Server updates address arbitrary file read and SSRF
vulnerabilities (CVE-2021-21980, CVE-2021-22049)

1. Impacted Products

  o VMware vCenter Server (vCenter Server)
  o VMware Cloud Foundation (Cloud Foundation)

2. Introduction

Multiple vulnerabilities in VMware vCenter Server were privately reported to
VMware. Updates are available to remediate these vulnerabilities in affected
VMware products.

3a. vCenter Server updates address arbitrary file read vulnerability in the
vSphere Web Client (CVE-2021-21980)

Description

The vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary file
read vulnerability. VMware has evaluated the severity of this issue to be in
the Important severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may
exploit this issue to gain access to sensitive information.

Resolution

To remediate CVE-2021-21980 apply the updates listed in the 'Fixed Version'
column of the 'Response Matrix' below to affected deployments.

Workarounds

None.

Additional Documentation

None.

Notes

The vCenter Server vSphere Web Client (FLEX/Flash) is not available in vCenter
Server 7.x; therefore this issue is not applicable to the vCenter Server 7.x
release line.


Acknowledgements

VMware would like to thank ch0wn of Orz lab for reporting this issue to us.

Response Matrix:

Product         Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
vCenter Server  7.0      Any         CVE-2021-21980  N/A     N/A        Unaffected     N/A          N/A
vCenter Server  6.7      Any         CVE-2021-21980  7.5     important  6.7 U3p        None         None
vCenter Server  6.5      Any         CVE-2021-21980  7.5     important  6.5 U3r        None         None

Impacted Product Suites that Deploy Response Matrix 3a Components:

Product                            Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
Cloud Foundation (vCenter Server)  4.x      Any         CVE-2021-21980  N/A     N/A        Unaffected     N/A          N/A
Cloud Foundation (vCenter Server)  3.x      Any         CVE-2021-21980  7.5     important  Patch Pending  None         None

3b. vCenter Server updates address SSRF vulnerability in the vSphere Web
Client (CVE-2021-22049)

Description

The vSphere Web Client (FLEX/Flash) contains an SSRF (Server Side Request
Forgery) vulnerability in the vSAN Web Client (vSAN UI) plug-in. VMware has
evaluated the severity of this issue to be in the Moderate severity range with
a maximum CVSSv3 base score of 6.5.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may
exploit this issue to make vCenter Server issue a request to a URL outside of
vCenter Server, or to reach an internal service.

Resolution

To remediate CVE-2021-22049 apply the updates listed in the 'Fixed Version'
column of the 'Response Matrix' below to affected deployments.

Workarounds

None.

Additional Documentation

None.

Notes

The vCenter Server vSphere Web Client (FLEX/Flash) is not available in vCenter
Server 7.x; therefore this issue is not applicable to the vCenter Server 7.x
release line.

Acknowledgements

VMware would like to thank magiczero from SGLAB of Legendsec at Qi'anxin Group
for reporting this issue to us.

Response Matrix:

Product         Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
vCenter Server  7.0      Any         CVE-2021-22049  N/A     N/A       Unaffected     N/A          N/A
vCenter Server  6.7      Any         CVE-2021-22049  6.5     moderate  6.7 U3p        None         None
vCenter Server  6.5      Any         CVE-2021-22049  6.5     moderate  6.5 U3r        None         None

Impacted Product Suites that Deploy Response Matrix 3b Components:

Product                            Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
Cloud Foundation (vCenter Server)  4.x      Any         CVE-2021-22049  N/A     N/A       Unaffected     N/A          N/A
Cloud Foundation (vCenter Server)  3.x      Any         CVE-2021-22049  6.5     moderate  Patch Pending  None         None

4. References

Fixed Version(s) and Release Notes:

vCenter Server 6.7 U3p
Downloads and Documentation:
https://customerconnect.vmware.com/en/downloads/details?downloadGroup=VC67U3P&productId=742&rPId=78421
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3p-release-notes.html

vCenter Server 6.5 U3r
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC65U3R&productId=614&rPId=74057
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3r-release-notes.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21980
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22049

FIRST CVSSv3 Calculator:
CVE-2021-21980: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2021-22049: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

5. Change Log

2021-11-23 VMSA-2021-0027
Initial security advisory.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----